Google touts ‘fuzzing’ open source tool after discovering TinyGLTF bug

Google researchers say they recently discovered a “trivially exploitable” open source vulnerability through a testing measure that they believe has the potential to find broader classes of vulnerabilities.

Dongge Liu and Jonathan Metzman, researchers with the Google Open Source Security Team, said they discovered CVE-2022-3008, a serious vulnerability in the widely used TinyGLTF project that could have allowed hackers to execute malicious code in projects using the tool.

Metzman and Liu said they discovered the vulnerability using a tactic called “fuzzing,” which involves running code on randomized inputs to intentionally cause unexpected behaviors or crashes that signal bugs. The researchers added that fuzzing — once primarily known for detecting memory corruption vulnerabilities in C/C++ code — has “considerable untapped potential” to help experts find open source bugs.

Google’s community fuzzing service, OSS-Fuzz, currently checks 700 critical open source projects for bugs on a continuous basis. It was OSS-Fuzz that recently discovered CVE-2022-3008.

“The bug was soon patched, but the wider significance remains: OSS-Fuzz caught a trivially exploitable command injection vulnerability. Though the TinyGLTF library is written in C++, this vulnerability is easily applicable to all programming languages and confirms that fuzzing is a beneficial and necessary testing method for all software projects,” the researchers said. 
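As an added illustration of that point (this is not code from Google, OSS-Fuzz or TinyGLTF), the harness below fuzzes a hypothetical `build_command` routine that splices a caller-supplied path into a shell command, and uses an in-process oracle to flag runs where fuzzer-controlled shell metacharacters reach the command string: the class of bug a memory sanitizer alone would never report. `build_command`, `build_command_safe`, `command_is_tainted`, `fuzz_one` and `fuzz_loop` are all assumed names for this example.

```cpp
#include <cstdint>
#include <random>
#include <string>
#include <vector>

static const std::string kShellMeta = ";|&`$(){}<>\n";
// Constructed stand-in for a library routine that splices a caller-supplied
// path into a shell command. Hypothetical; not TinyGLTF code.
static std::string build_command(const std::string& path) {
    return "ls " + path;
}

// Hardened variant: reject any path carrying shell metacharacters, so the
// input can never shape the command.
static std::string build_command_safe(const std::string& path) {
    if (path.find_first_of(kShellMeta) != std::string::npos) return "";
    return "ls " + path;
}

// Injection oracle: did fuzzer-controlled metacharacters reach the command?
// A real sanitizer hooks the process-spawning call; this mimics that decision.
static bool command_is_tainted(const std::string& cmd, const std::string& input) {
    for (char c : input)
        if (kShellMeta.find(c) != std::string::npos && cmd.find(c) != std::string::npos)
            return true;
    return false;
}

// One fuzz iteration in the LLVMFuzzerTestOneInput shape: run the target on a
// byte string and report whether the oracle fired (true = bug found).
static bool fuzz_one(const std::vector<uint8_t>& data, bool hardened = false) {
    std::string input(data.begin(), data.end());
    std::string cmd = hardened ? build_command_safe(input) : build_command(input);
    return command_is_tainted(cmd, input);
}

// Minimal seeded random loop (no coverage guidance, unlike OSS-Fuzz): returns
// the iteration that first triggered the oracle, or -1 if none did.
static long fuzz_loop(unsigned seed, int iterations, size_t max_len, bool hardened = false) {
    std::mt19937 rng(seed);
    std::uniform_int_distribution<int> byte(32, 126);  // printable ASCII only
    std::uniform_int_distribution<size_t> len(1, max_len);
    for (int i = 0; i < iterations; ++i) {
        std::vector<uint8_t> data(len(rng));
        for (auto& b : data) b = static_cast<uint8_t>(byte(rng));
        if (fuzz_one(data, hardened)) return i;
    }
    return -1;
}
```

Against the unhardened target the loop reports a finding within a few iterations even without coverage guidance, while the hardened variant never trips the oracle, which is the same before/after signal a fuzzer integration gives a maintainer.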

Google built its fuzzing tool in 2016 in response to the Heartbleed vulnerability. That bug alarmed many in the open source community because it was a vulnerability in OpenSSL, the widely used encryption library. Experts noted at the time that the project “was being secured by one volunteer operating on a $3,000 shoestring budget living in England who’s barely been able to pay his electricity bill for months.”

Liu and Metzman said that bug “had the potential to affect almost every internet user, yet was caused by a relatively simple memory buffer overflow bug that could have been detected by fuzzing.”

“Since its launch, OSS-Fuzz has become a critical service for the open source community, helping get more than 8,000 security vulnerabilities and more than 26,000 other bugs in open source projects fixed. With time, OSS-Fuzz has grown beyond C/C++ to detect problems in memory-safe languages such as Go, Rust, and Python,” the researchers explained. 

The tool is continually updated to find more classes of vulnerabilities like Log4Shell, and the researchers said the TinyGLTF bug was found using one of the updated features. 

Google announced last week that it is launching an open source software vulnerability bug bounty program, offering cybersecurity researchers up to $31,337 in rewards for spotting bugs that can lead to supply chain compromises or other issues.

Liu and Metzman noted that, for those interested in getting involved, Google is offering $11,337 for new additions to OSS-Fuzz that find at least two new vulnerabilities.

“Fuzzing still has a lot of unexplored potential in discovering more classes of vulnerabilities,” the researchers said. “Through our combined efforts we hope to take this effective testing method to the next level and enable more of the open source community to enjoy the benefits of fuzzing.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.